CVE-2018-5560 - Vulnerability Details - OpenCVE

A reliance on a static, hard-coded credential in the design of the cloud-based storage system of Practecol's Guardzilla All-In-One Video Security System allows an attacker to view the private data of all users of the Guardzilla device.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00472.

Key SSVC decision points have not yet been added.

Vendors	Products
Guardzilla	Gz521w Gz521w Firmware

Configuration 1 [-]

AND

cpe:2.3:o:guardzilla:gz521w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:guardzilla:gz521w:-:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2018-17329	A reliance on a static, hard-coded credential in the design of the cloud-based storage system of Practecol's Guardzilla All-In-One Video Security System allows an attacker to view the private data of all users of the Guardzilla device.

Fixes

Solution

There is no vendor-provided fix available, see work_around.

Workaround

Users concerned with video privacy should disable the cloud storage functionality provided by the vendor.

References

Link	Providers
https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/
https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/

History

No history.

MITRE

Status: PUBLISHED

Assigner: rapid7

Published: 2019-01-31T21:00:00Z

Updated: 2024-09-16T21:04:09.840Z

Reserved: 2018-01-12T00:00:00

Link: CVE-2018-5560

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-01-31T21:29:00.270

Modified: 2024-11-21T04:09:03.990

Link: CVE-2018-5560

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Guardzilla All-In-One Video Security System", "vendor": "Practecol, LLC", "versions": [{"status": "affected", "version": "2018"}]}], "credits": [{"lang": "en", "value": "Discovered by Nick McClendon, Andrew Mirghassemi, Charles Dardaman, INIT_6, and Chris."}], "datePublic": "2018-12-27T00:00:00", "descriptions": [{"lang": "en", "value": "A reliance on a static, hard-coded credential in the design of the cloud-based storage system of Practecol's Guardzilla All-In-One Video Security System allows an attacker to view the private data of all users of the Guardzilla device."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798", "lang": "en", "type": "CWE"}, {"description": "Use of Hard-coded Credentials", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-01-31T20:57:01", "orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/"}], "solutions": [{"lang": "en", "value": "There is no vendor-provided fix available, see work_around."}], "source": {"advisory": "R7-2018-52", "discovery": "EXTERNAL"}, "title": "Guardzilla All-In-One Video Security System Hard-Coded Credential", "workarounds": [{"lang": "en", "value": "Users concerned with video privacy should disable the cloud storage functionality provided by the vendor."}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@rapid7.com", "DATE_PUBLIC": "2018-12-27T14:05:00.000Z", "ID": "CVE-2018-5560", "STATE": "PUBLIC", "TITLE": "Guardzilla All-In-One Video Security System Hard-Coded Credential"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Guardzilla All-In-One Video Security System", "version": {"version_data": [{"version_name": "2018", "version_value": "2018"}]}}]}, "vendor_name": "Practecol, LLC"}]}}, "credit": [{"lang": "eng", "value": "Discovered by Nick McClendon, Andrew Mirghassemi, Charles Dardaman, INIT_6, and Chris."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A reliance on a static, hard-coded credential in the design of the cloud-based storage system of Practecol's Guardzilla All-In-One Video Security System allows an attacker to view the private data of all users of the Guardzilla device."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-798"}, {"lang": "eng", "value": "Use of Hard-coded Credentials"}]}]}, "references": {"reference_data": [{"name": "https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/", "refsource": "MISC", "url": "https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/"}, {"name": "https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/", "refsource": "MISC", "url": "https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/"}]}, "solution": [{"lang": "en", "value": "There is no vendor-provided fix available, see work_around."}], "source": {"advisory": "R7-2018-52", "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Users concerned with video privacy should disable the cloud storage functionality provided by the vendor."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T05:40:50.671Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/"}]}]}, "cveMetadata": {"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "assignerShortName": "rapid7", "cveId": "CVE-2018-5560", "datePublished": "2019-01-31T21:00:00Z", "dateReserved": "2018-01-12T00:00:00", "dateUpdated": "2024-09-16T21:04:09.840Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:guardzilla:gz521w_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D9B0D0E-985D-4D0C-9889-6184E6BF391D", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:guardzilla:gz521w:-:*:*:*:*:*:*:*", "matchCriteriaId": "2763BE91-5523-44AB-9FB2-A59F2C3AE186", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A reliance on a static, hard-coded credential in the design of the cloud-based storage system of Practecol's Guardzilla All-In-One Video Security System allows an attacker to view the private data of all users of the Guardzilla device."}, {"lang": "es", "value": "La dependencia de una credencial est\u00e1tica embebida en el dise\u00f1o del sistema de almacenamiento basado en la nube en Guardzilla All-In-One Video Security System, de Practecol, permite que un atacante vea los datos privados de todos los usuarios del dispositivo Guardzilla."}], "id": "CVE-2018-5560", "lastModified": "2024-11-21T04:09:03.990", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.8, "source": "cve@rapid7.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-01-31T21:29:00.270", "references": [{"source": "cve@rapid7.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/"}, {"source": "cve@rapid7.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "cve@rapid7.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}